Topic: Deputy Chief Executive Directorate senior leadership resilience.


Issue: A proposal to review the senior leadership and departmental 
composition of the DCEO directorate and introduce the ICO’s DPO role in 
readiness for GDPR. SLT informally considered the following proposals in 
mid-April. Since then staff and trade unions have been consulted. The 
proposals now return to SLT for formal consideration and sign off. 


Background: 

Following the appointment of a permanent DCEO, there is a pressing need 
to see the senior management roles within the DCEO directorate filled 
with permanent appointments to ensure stability and continuity. The 
substantive departmental structure for the directorate as at 31 December 
2016 is shown below. 


Fig 1.0 - Current Substantive Structure 

The recent Corporate Governance review has also highlighted some 
potential opportunities for improvement in our governance arrangements. 
We must also make provision within the directorate for a Data Protection 
Officer in readiness for GDPR and as part of a refreshed internal 
assurance/accountability framework. 


The ICO is growing due to the demands placed on the organisation 
through a rising profile and major changes in the regulatory environment. 
The changes proposed in this document are in recognition that the ICO 
will be a very different organisation in two years' time. We will be 
significantly larger and with greater challenges when it comes to 
achieving service levels, resourcing our infrastructure and maintaining the 
necessary standards of governance and compliance for an organisation 
with in excess of 500 employees. What has worked in the past needs to 
evolve to continue to work in the future. 


It should be noted that the proposal does not impact on the resources 
identified to focus on the Change Programme. This resource continues to 
report direct into the DCEO for the duration of the Change Programme. 


Discussion: 
There are two main parts to the proposal. 


Part one: Split of Customer and Business Services 

We are proposing to have a separate ‘Customer Contact’ and a separate 
‘Business Development and IT’ department in place of the substantive 
Customer and Business Services department shown in Fig 1.0 above. 


It is worth noting that until 2014 we had a separate Customer Contact 
and a separate IT department, each with their own department head. This 
proposal therefore returns the structure to those arrangements but 
retains the collaborative working of recent years within the DCEO 
directorate. 


Making this change would essentially establish the interim structure in 
place since 1 January this year as the substantive structure as shown in 
Fig 2.0 below. 


Fig 2.0 - Current Interim Structure 


[Figure: organisation chart showing the departments Finance, Customer Contact, Business Development and IT, IT Assurance, Organisational Development and Corporate Affairs]


Implications 
Making this change would increase the number of substantive 
departments in the directorate by one and mean a small number of staff 
would report to different line managers but without change to their own 
roles. 


The cost of this part of the proposal would be the cost of a further Level G 
department head role, with this being approximately £65,000 including NI 
and pensions contributions. 


Part two: Creation of Risk and Governance department and 
introduction of DPO role 

A second element of the proposal follows the decision to bring the 
Corporate Affairs department within the DCEO directorate. At present the 
Corporate Governance function (including the Private Office) sits within 
the Corporate Affairs department. The Records and Information 
Management function (including the Information Access Service) sits 
within the Customer and Business Services department and the 
Information Security function sits with the IT Assurance department. 


These three governance functions are critical to the ICO’s own compliance 
under GDPR as well as our ability to manage strategic risks and 
opportunities as the organisation grows and develops. 


It is therefore proposed that these three functions join together to form a 
new ‘Risk and Governance’ department within the DCEO directorate. 


It is also proposed that the head of the new Risk and Governance 
department would fulfil the role of Data Protection Officer for the ICO, 
reporting direct to the DCEO/SIRO and alongside the other key roles in 
the ICO’s internal assurance/accountability framework. 


The cost of this second part of the proposal would be a further £65,000 to 
cover the cost of an additional level G Head of Risk and Governance role. 


Implications 
This part of the proposal would lead to a change of line management for 
some roles in the directorate but without changes to the roles 
themselves, for example the Corporate Governance Group Manager and 
the Information Security Manager. A slight change of job title for the 
Corporate Governance Group Manager is however likely, with this 
reflecting the Private Office responsibilities of the post holder. 


There are however two roles which would change as a result of this part 
of the proposal. 


The Head of Corporate Affairs would no longer be responsible for 
Corporate Governance, but this represents a very small part of the 
present role’s daily responsibilities. Whilst a minor amendment may be 
needed to the Head of Corporate Affairs job role this would not warrant 
the role being evaluated. 


The Corporate Affairs Department would become the Corporate 
Communications Department as a result of this change. 


A further implication of this part of the proposal is for the IT Assurance 
Department, which effectively loses its department status when the 
Information Security resources are redeployed to other parts of the DCEO 
directorate. 


The Head of IT Assurance role would remain as our senior technical lead 
on the technical design and implementation of the ICO’s digital and ICT 
systems and services and our cyber defences. The new look role will 
however need to be evaluated to consider the impact of this rebalancing 
of responsibilities given that there will be very little line management 
responsibility remaining. 


Whatever the outcome of this evaluation the role would still report direct 
to the DCEO/SIRO as the ICO’s ‘Accreditor’ within our internal 
assurance/accountability framework. 


Options: 

The two parts of this proposal have been developed to enable them to be 
accepted in full, rejected entirely or for one to be accepted without the 
other. These are therefore the options available. 


The acceptance of both parts of the proposal is however encouraged as an 
important step towards establishing a robust leadership structure for the 
directorate in support of the wider development of the ICO. Below is the 
proposed future structure for the directorate should both parts of the 
proposal be accepted. 


Fig 3.0 - Proposed Future Structure 

Next steps: 


If this proposal was accepted then new job roles would need to be created 
and evaluated for the roles of Head of Risk and Governance as well as the 
re-shaped senior IT Assurance role. 


SLT gave informal agreement to this proposal in early April. Since then 
those staff involved have been consulted as well as the ICO’s PCS and 
FDA trade unions. All ICO staff were also asked for their comments and 
feedback via a recent DCEO blog on the intranet. 


The proposal therefore returns to SLT formally at this meeting to enable 
feedback gathered through the consultation to be discussed and a formal 
decision made in response to the proposal. 


If the proposal is formally accepted, recruitment to all agreed vacant 
positions would then take place as soon as possible. The present interim 
arrangements would remain in place until then. 


